Question

Hi, I do malware sampling with Steven and Polonus. I found 15 undetected files all for Linux. Where do I report them and to who? I’m using Avast! for Windows. So that’d be useless.

Report them to: virus[at]avast.com

That’s what I thought. Thanks Asyn

You’re welcome.

That’s a lot of Linux specific malware.

Do you think you could also submit them to virustotal and post back the links so that we can see what and who is detecting?

Thanks

Hi Mag,

As I am not at my primary machine and on a very unsecure system right now I cannot. Steven Winderlich asked for the DL and to do Malware Analysis. He might be able to post VT links. If not, it’ll take me 2ish hours to get them for you.

Note: As I am not familiar with Linux malware, I don’t know what an “exe” file is in comparison to windows. So the rest of the files might just be random files.

Here are Virustotal Links:


Last one is just a text file with an IP in it.
IP Scan: https://www.virustotal.com/de/url/580cef0b6d5c984a99a111d960a6a33bad324efc1a76ed92ee911601ee53cdf6/analysis/1388933253/

Many thanks for taking the time to do this.

No problem.

These are script files I think, so they are executed in Terminal or via browser.
Or maybe with some other program. Can’t get them to run here under Ubuntu 13.10 with latest updates.

One of the malware files is running in memory. (Screenshot)

Also Ubuntu is unable to connect to my GMail Account. (Screenshot)

I’m no malware expert, but when I come across references to Linux malware I try to check to see which scanners detect it. This sample doesn’t imply any reason to switch from my current scanner (comodo).

Thanks again.

I think you’ll find you have a bunch of False Positives. :wink:
(EDIT: Steven Winderlich, I take it you’re running Windows, and Ubuntu as a Dual Boot setup, and have scanned your Linux partition with Avast! for Windows?
Try installing the Linux scanner into Ubuntu, and running it.
It’s very uncommon to have anything but ‘Windows’ viruses in Linux, which are harmless, and can be simply cleaned using Avast4Linuxworkstations.
)
Regards,

Tony.

This is a problem relating to a URL we had a while back.

The best action to take is described in my quote:
http://forum.avast.com/index.php?topic=141439.msg1032132#msg1032132

Hi Abraxas,

No, this is a virtual machine created with virtualbox, I would never run Linux Malware on a dualboot system. :slight_smile:

But maybe I will set up a Linux system like OpenSUSE or something
on my grandpa’s computer and maybe I will head over to Linux too. But I’m not sure yet.

Hi Steven Winderlich,

you may have confused some issues raised by the OP.
alan1998:

Hi, I do malware sampling with Steven and Polonus. I found 15 undetected files all for Linux. Where do I report them and to who? I'm using Avast! for Windows. So that'd be useless.
Note: As I am not familiar with Linux malware, I don't know what an "exe" file is in comparison to windows. So the rest of the files might just be random files.
To clarify that statement, linux does not use 'exe' files. This whole post is rather confused and misleading: Statements such as Linux Malware need to be backed up with a running Linux DE, stating found Malware, and why it is thought to be Linux Malware, which is quite an involved task. Much moreso than processing what is known Windows Malware ;)

I believe what you’re seeing is Windows Malware, running in virtualbox, in or your Host Windows.

All viruses found by us running on our Linux DE’s are Windows viruses, which are unable to execute, as they are based on an "exe" file, which don’t run in Linux.

The main purpose of running a Virus scanner like Avast!4linuxworkstations is so as not to transmit windows executable malware from a Linux system, to a friend who is using Windows. Transmission can be made via Email, or file sharing, etc.

Best Regards,

Abraxas

Re-Read what I said again. I said "I don’t know what an “exe” file in comparison to Linux is.

Some file must have the properties to be launched right? What is that file extension? Windows is .exe or .jar.

Hence, I don’t know if it’s malware. 3 of the files were detected already. It came inside a ZIP folder into my Windows PC. They were included. Like for FRST to run a fixlist. It has to be in the same location.

Also, why did you bring back an old thread when it had already been dealt with?

Re-Read what I said again. I said "I don't know what an "exe" file in comparison to Linux is. Some file must have the properties to be launched right? What is that file extension? Windows is .exe or .jar.

Hence, I don’t know if it’s malware. 3 of the files were detected already. It came inside a ZIP folder into my Windows PC. They were included. Like for FRST to run a fixlist. It has to be in the same location.

Let’s make it really simple: There has not been as yet any Linux Malware. As I said, what is found on Linux is Windows Malware.

Also, why did you bring back an old thread when it had already been dealt with?
In what manner was it dealt ? Did you contact as I suggested: Avast! Support [AVAST Software a.s.] https://support.avast.com/Tickets/Submit/RenderForm

Sorry, we can’t have such a slow sub-Forum as this with pending problems. I get an RSS feed, I make a suggestion, a certain amount of time goes by, you hadn’t confirmed your findings with the Avast! Engineer, so I had to try to draw the conclusion.

Be very assured, as I say for the third time there is no widespread Linux Malware. We Scan to find Windows Malware, so as not to transmit what is as you’d know already epidemic Windows Malware.

Best Regards,

Abraxas. pclinuxos.com

Hi, do you work for Avast!? I contacted them with that. Can you explain why Avast! detected them as ELF and UNIX malware? I’d sure like to know, as that isn’t Windows.

http://en.wikipedia.org/wiki/Executable_and_Linkable_Format

Can you explain Malwarebytes reply to me reporting it?

https://forums.malwarebytes.org/index.php?showtopic=139571#entry772499

"Malwarebytes doesn’t run on LINUX or UNIX thus making it look like LINUX malware. Not Windows.

Michael (alan1998), hey there.
With respect, I’m having trouble following you. First, I’ve never even heard of any spyware that affects Linux.
Linux is a very Secure Operating System.
Read this: http://www.linuxclues.com/articles/21.htm

Hi, do you work for Avast!? I contacted them with that. Can you explain why Avast! detected them as ELF and UNIX malware? I'd sure like to know, as that isn't Windows.
An Avast Engineer must analyse your submissions, as the Avast Scanner made the discovery, and report to you their findings. If that's happened, please post said report so we may all peruse what they had to say. Thanks. :D


Can you give any example of the Malware you had on your System, and what it tried to do to your system? Did it report info to an IP address, or alter any System settings, or permissions?

Please be patient, as Windows users we see Malware everywhere. It’s certainly not the case with a Linux Desktop.
New Linux users just can’t seem to shake the paranoia associated with Windows. But, they soon learn, that the rules are simply different using Linux as opposed to Windows.

You ask how does a programme start in Linux? Simply, you call it by its name.
Say I want to start Firefox, I would open a Terminal, and type in 'firefox %u'.
That will launch firefox. Or I can create a ‘Launcher’, like a Windows Shortcut.
But I do so as a User, with restricted permissions, not as root, (Admin) which is the basis of Linux.
Not leaving a door open for a hacker to enter.

I suggest going to some Linux Forums with your Malware. I’ve never come across any so I’m of little help, next to useless really.
I searched this Forum, “Linux Malware” :

http://myphotos.mypclinuxos.com/images/Abraxas012X/linuxmalware.png

I did a little searching: Have you ever had or suspected malware to be on your Linux system?
http://www.linux.org/threads/malware-and-antivirus-systems-for-linux.4455/page-2#post-14801

Also VirusTotal states with all the files I checked: "Probably harmless! There are strong indicators suggesting that this file is safe to use." :slight_smile:

What is VirusTotal
"VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

"As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software.
"VirusTotal: second opinion, not a product substitute

VirusTotal is not a substitute for any antivirus/security software installed in a PC, since it only scans individual files/URLs on demand. It does not offer permanent protection for users’ systems either. At VirusTotal we think of our service as a second opinion regarding the maliciousness of your files/URLs.

Although the detection ratio achieved by the use of multiple antivirus engines/URL scanners is far superior than that offered by just one product, these results DO NOT guarantee the harmlessness of a file/URL. Moreover, the aggregate amount of false positives of multiple solutions is higher than that of any individual scanner…"

I have not a lot more to say.
This Sub-Forum is for the Avast4Linuxworkstations, and other Server Scanners provided by Avast.

Read the Forum, it isn’t at all like the Avast Windows Forums. In fact it’s basically a dead horse as far as activity, dynamics, and innovation. http://forum.avast.com/index.php?topic=120603.0

But it is a gateway to Avast for linux scanners.

Any reporting of viruses will need to be sent to the already mentioned;
Avast! Support [AVAST Software a.s.] https://support.avast.com/Tickets/Submit/RenderForm

Best Regards,

Abraxas
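
Added example, not part of the thread or any poster's code: the question raised above of what marks a file as launchable on Linux is answered by the file's leading bytes (plus the execute permission), not by an extension. The Python sketch below triages samples by magic bytes (ELF, Windows "MZ", "#!" scripts) before they are submitted anywhere; the function name `triage` and all sample bytes are constructed for illustration.

```python
import hashlib
import struct

ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object/PIE", 4: "core dump"}
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def triage(data: bytes) -> dict:
    """Classify a sample by its leading bytes, never by its file name."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    if not data:
        info["kind"] = "empty"          # nothing to analyse or submit
    elif data[:4] == b"\x7fELF":
        info["kind"] = "elf"            # native Linux/UNIX binary format
        # e_ident[4] = class (1: 32-bit, 2: 64-bit), e_ident[5] = byte order
        if len(data) >= 20 and data[4] in (1, 2) and data[5] in (1, 2):
            endian = "<" if data[5] == 1 else ">"
            e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
            info["bits"] = 32 if data[4] == 1 else 64
            info["elf_type"] = ELF_TYPES.get(e_type, hex(e_type))
            info["machine"] = ELF_MACHINES.get(e_machine, hex(e_machine))
        else:
            info["kind"] = "elf (truncated or malformed header)"
    elif data[:2] == b"MZ":
        info["kind"] = "pe/dos"         # Windows executable family
    elif data[:2] == b"#!":
        info["kind"] = "script"         # run by the interpreter on line 1
        first_line = data.split(b"\n", 1)[0]
        info["interpreter"] = first_line[2:].decode("ascii", "replace").strip()
    else:
        info["kind"] = "unknown"        # e.g. plain text or data
    return info


# Constructed samples: header bytes only, no real malware content.
SAMPLES = {
    "sample_a": b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 62),
    "sample_b.exe": b"MZ\x90\x00",
    "sample_c": b"#!/bin/sh\necho hi\n",
    "sample_d": b"",
    "sample_e.txt": b"192.0.2.10\n",    # documentation-range IP, constructed
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob))
```
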